conf: Options of all plugins documented

Some options are still missing descriptions though.

conf/Makefile.am

@@ -8,7 +8,53 @@ options = \
 	options/charon-logging.opt
 
 plugins = \
-	plugins/test.opt
+	plugins/android_log.opt \
+	plugins/attr.opt \
+	plugins/attr-sql.opt \
+	plugins/certexpire.opt \
+	plugins/coupling.opt \
+	plugins/dhcp.opt \
+	plugins/dnscert.opt \
+	plugins/duplicheck.opt \
+	plugins/eap-aka.opt \
+	plugins/eap-aka-3ggp2.opt \
+	plugins/eap-dynamic.opt \
+	plugins/eap-gtc.opt \
+	plugins/eap-peap.opt \
+	plugins/eap-radius.opt \
+	plugins/eap-sim.opt \
+	plugins/eap-simaka-sql.opt \
+	plugins/eap-tls.opt \
+	plugins/eap-tnc.opt \
+	plugins/eap-ttls.opt \
+	plugins/error-notify.opt \
+	plugins/gcrypt.opt \
+	plugins/ha.opt \
+	plugins/ipseckey.opt \
+	plugins/led.opt \
+	plugins/kernel-klips.opt \
+	plugins/kernel-libipsec.opt \
+	plugins/kernel-netlink.opt \
+	plugins/kernel-pfroute.opt \
+	plugins/load-tester.opt \
+	plugins/lookip.opt \
+	plugins/ntru.opt \
+	plugins/openssl.opt \
+	plugins/pkcs11.opt \
+	plugins/radattr.opt \
+	plugins/random.opt \
+	plugins/resolve.opt \
+	plugins/socket-default.opt \
+	plugins/sql.opt \
+	plugins/stroke.opt \
+	plugins/systime-fix.opt \
+	plugins/tnc-ifmap.opt \
+	plugins/tnc-pdp.opt \
+	plugins/unbound.opt \
+	plugins/updown.opt \
+	plugins/whitelist.opt \
+	plugins/xauth-eap.opt \
+	plugins/xauth-pam.opt
 
 alloptions = $(options) $(plugins)
 

conf/plugins/android_log.opt

@@ -0,0 +1,2 @@
+charon.plugins.android_log.loglevel = 1
+	Loglevel for logging to Android specific logger.

conf/plugins/attr-sql.opt

@@ -0,0 +1,5 @@
+charon.plugins.attr-sql.database
+	Database URI for attr-sql plugin used by charon.
+
+charon.plugins.attr-sql.lease_history = yes
+	Enable logging of SQL IP pool leases.

conf/plugins/attr.opt

@@ -0,0 +1,14 @@
+charon.plugins.attr {}
+	Section to specify arbitrary attributes that are assigned to a peer via
+	configuration payload (CP).
+
+charon.plugins.attr.<attr>
+	<attr> is an attribute name or an integer, values can be an IP address,
+	subnet or arbitrary value.
+
+	**<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
+	_subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
+	attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
+	CIDR notation or an arbitrary value depending on the attribute type.  For
+	some attribute types multiple values may be specified as a comma separated
+	list.

conf/plugins/certexpire.opt

@@ -0,0 +1,25 @@
+charon.plugins.certexpire.csv.cron
+	Cron style string specifying CSV export times.
+
+charon.plugins.certexpire.csv.empty_string =
+	String to use in empty intermediate CA fields.
+
+charon.plugins.certexpire.csv.fixed_fields = yes
+	Use a fixed intermediate CA field count.
+
+charon.plugins.certexpire.csv.force = yes
+	Force export of all trustchains we have a private key for.
+
+charon.plugins.certexpire.csv.format = %d:%m:%Y
+	**strftime**(3) format string to export expiration dates as.
+
+charon.plugins.certexpire.csv.local
+	**strftime**(3) format string for the CSV file name to export local
+	certificates to.
+
+charon.plugins.certexpire.csv.remote
+	**strftime**(3) format string for the CSV file name to export remote
+	certificates to.
+
+charon.plugins.certexpire.csv.separator = ,
+	CSV field separator.

conf/plugins/coupling.opt

@@ -0,0 +1,8 @@
+charon.plugins.coupling.file
+	File to store coupling list to.
+
+charon.plugins.coupling.hash = sha1
+	Hashing algorithm to fingerprint coupled certificates.
+
+charon.plugins.coupling.max = 1
+	Maximum number of coupling entries to create.

conf/plugins/dhcp.opt

@@ -0,0 +1,22 @@
+charon.plugins.dhcp.force_server_address = no
+	Always use the configured server address.
+
+	Always use the configured server address. This might be helpful if the DHCP
+	server runs on the same host as strongSwan, and the DHCP daemon does not
+	listen on the loopback interface.  In that case the server cannot be reached
+	via unicast (or even 255.255.255.255) as that would be routed via loopback.
+	Setting this option to yes and configuring the local broadcast address (e.g.
+	192.168.0.255) as server address might work.
+
+charon.plugins.dhcp.identity_lease = no
+	Derive user-defined MAC address from hash of IKE identity.
+
+charon.plugins.dhcp.server = 255.255.255.255
+	DHCP server unicast or broadcast IP address.
+
+charon.plugins.dhcp.interface
+	Interface name the plugin uses for address allocation.
+
+	Interface name the plugin uses for address allocation. The default is to
+	bind to any (0.0.0.0) and let the system decide which way to route the
+	packets to the DHCP server.

conf/plugins/dnscert.opt

@@ -0,0 +1,2 @@
+charon.plugins.dnscert.enable = no
+	Enable fetching of CERT RRs via DNS.

conf/plugins/duplicheck.opt

@@ -0,0 +1,5 @@
+charon.plugins.duplicheck.enable = yes
+	Enable duplicheck plugin (if loaded).
+
+charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
+	Socket provided by the duplicheck plugin.

conf/plugins/eap-aka-3ggp2.opt

@@ -0,0 +1 @@
+charon.plugins.eap-aka-3ggp2.seq_check =

conf/plugins/eap-aka.opt

@@ -0,0 +1 @@
+charon.plugins.eap-aka.request_identity = yes

conf/plugins/eap-dynamic.opt

@@ -0,0 +1,13 @@
+charon.plugins.eap-dynamic.preferred =
+	The preferred EAP method(s) to be used.
+
+	The preferred EAP method(s) to be used.  If it is not given the first
+	registered method will be used initially.  If a comma separated list is
+	given the methods are tried in the given order before trying the rest of
+	the registered methods.
+
+charon.plugins.eap-dynamic.prefer_user = no
+	Prefer peer's proposed EAP methods.
+
+	If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
+	are preferred over the methods registered locally.

conf/plugins/eap-gtc.opt

@@ -0,0 +1,2 @@
+charon.plugins.eap-gtc.backend = pam
+	XAuth backend to be used for credential verification.

conf/plugins/eap-peap.opt

@@ -0,0 +1,20 @@
+charon.plugins.eap-peap.fragment_size = 1024
+	Maximum size of an EAP-PEAP packet.
+
+charon.plugins.eap-peap.max_message_count = 32
+	Maximum number of processed EAP-PEAP packets (0 = no limit).
+
+charon.plugins.eap-peap.include_length = no
+	Include length in non-fragmented EAP-PEAP packets.
+
+charon.plugins.eap-peap.phase2_method = mschapv2
+	Phase2 EAP client authentication method.
+
+charon.plugins.eap-peap.phase2_piggyback = no
+	Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-peap.phase2_tnc = no
+	Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-peap.request_peer_auth = no
+	Request peer authentication based on a client certificate.

conf/plugins/eap-radius.opt

@@ -0,0 +1,103 @@
+charon.plugins.eap-radius.accounting = no
+	Send RADIUS accounting information to RADIUS servers.
+
+charon.plugins.eap-radius.accounting_requires_vip = no
+	If enabled, accounting is disabled unless an IKE_SA has at least one
+	virtual IP.
+
+charon.plugins.eap-radius.class_group = no
+	Use class attributes in RADIUS-Accept messages as group membership
+	information.
+
+	Use the _class_ attribute sent in the RADIUS-Accept message as group
+	membership information that is compared to the groups specified in the
+	**rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.close_all_on_timeout = no
+	Closes all IKE_SAs if communication with the RADIUS server times out. If it
+	is not set only the current IKE_SA is closed.
+
+charon.plugins.eap-radius.dae.enable = no
+	Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+charon.plugins.eap-radius.dae.listen = 0.0.0.0
+	Address to listen for DAE messages from the RADIUS server.
+
+charon.plugins.eap-radius.dae.port = 3799
+	Port to listen for DAE requests.
+
+charon.plugins.eap-radius.dae.secret
+	Shared secret used to verify/sign DAE messages.
+
+charon.plugins.eap-radius.eap_start = no
+	Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+
+charon.plugins.eap-radius.filter_id = no
+	Use filter_id attribute as group membership information.
+
+	If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
+	the _filter_id_ attribute sent in the RADIUS-Accept message as group
+	membership information that is compared to the groups specified in the
+	**rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.forward.ike_to_radius
+	RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+
+	RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+	name or attribute number, a colon can be used to specify vendor-specific
+	attributes, e.g. Reply-Message, or 11, or 36906:12).
+
+charon.plugins.eap-radius.forward.radius_to_ike =
+	Same as ike_to_radius but from RADIUS to IKEv2.
+
+	Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
+	IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+	attributes.
+
+charon.plugins.eap-radius.id_prefix
+	Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+	EAP method.
+
+charon.plugins.eap-radius.nas_identifier = strongSwan
+	NAS-Identifier to include in RADIUS messages.
+
+charon.plugins.eap-radius.port = 1812
+	Port of RADIUS server (authentication).
+
+charon.plugins.eap-radius.secret =
+	Shared secret between RADIUS and NAS.
+
+charon.plugins.eap-radius.server =
+	IP/Hostname of RADIUS server.
+
+charon.plugins.eap-radius.servers {}
+	Section to specify multiple RADIUS servers.
+
+	Section to specify multiple RADIUS servers. The **nas_identifier**,
+	**secret**, **sockets** and **port** (or **auth_port**) options can be
+	specified for each server. A server's IP/Hostname can be configured using
+	the **address** option. The **acct_port** [1813] option can be used to
+	specify the port used for RADIUS accounting. For each RADIUS server a
+	priority can be specified using the **preference** [0] option.
+
+charon.plugins.eap-radius.sockets = 1
+	Number of sockets (ports) to use, increase for high load.
+
+charon.plugins.eap-radius.xauth {}
+	Section to configure multiple XAuth authentication rounds via RADIUS.
+
+	Section to configure multiple XAuth authentication rounds via RADIUS.
+	The subsections define so called authentication profiles with arbitrary
+	names. In each profile section one or more XAuth types can be configured,
+	with an assigned message. For each type a separate XAuth exchange will be
+	initiated and all replies get concatenated into the User-Password attribute,
+	which then gets verified over RADIUS.
+
+	Available XAuth types are **password**, **passcode**, **nextpin**, and
+	**answer**. This type is not relevant to strongSwan or the AAA server, but
+	the client may show a different dialog (along with the configured message).
+
+	To use the configured profiles, they have to be configured in the respective
+	connection in **ipsec.conf**(5) by appending the profile name, separated by
+	a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
+	or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.

conf/plugins/eap-sim.opt

@@ -0,0 +1 @@
+charon.plugins.eap-sim.request_identity = yes

conf/plugins/eap-simaka-sql.opt

@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no

conf/plugins/eap-tls.opt

@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+	Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+	Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+	Include length in non-fragmented EAP-TLS packets.

conf/plugins/eap-tnc.opt

@@ -0,0 +1,6 @@
+charon.plugins.eap-tnc.max_message_count = 10
+	Maximum number of processed EAP-TNC packets (0 = no limit).
+
+charon.plugins.eap-tnc.protocol = tnccs-1.1
+	IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
+	_tnccs-dynamic_).

conf/plugins/eap-ttls.opt

@@ -0,0 +1,20 @@
+charon.plugins.eap-ttls.fragment_size = 1024
+	Maximum size of an EAP-TTLS packet.
+
+charon.plugins.eap-ttls.max_message_count = 32
+	Maximum number of processed EAP-TTLS packets (0 = no limit).
+
+charon.plugins.eap-ttls.include_length = yes
+	Include length in non-fragmented EAP-TTLS packets.
+
+charon.plugins.eap-ttls.phase2_method = md5
+	Phase2 EAP client authentication method.
+
+charon.plugins.eap-ttls.phase2_piggyback = no
+	Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-ttls.phase2_tnc = no
+	Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-ttls.request_peer_auth = no
+	Request peer authentication based on a client certificate.

conf/plugins/error-notify.opt

@@ -0,0 +1,2 @@
+charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy
+	Socket provided by the error-notify plugin.

conf/plugins/gcrypt.opt

@@ -0,0 +1,2 @@
+charon.plugins.gcrypt.quick_random = no
+	Use faster random numbers in gcrypt; for testing only, produces weak keys!

conf/plugins/ha.opt

@@ -0,0 +1,23 @@
+charon.plugins.ha.autobalance = 0
+	Interval in seconds to automatically balance handled segments between nodes.
+	Set to 0 to disable.
+
+charon.plugins.ha.fifo_interface = yes
+
+charon.plugins.ha.heartbeat_delay = 1000
+
+charon.plugins.ha.heartbeat_timeout = 2100
+
+charon.plugins.ha.local =
+
+charon.plugins.ha.monitor = yes
+
+charon.plugins.ha.pools =
+
+charon.plugins.ha.remote =
+
+charon.plugins.ha.resync = yes
+
+charon.plugins.ha.secret =
+
+charon.plugins.ha.segment_count = 1

conf/plugins/ipseckey.opt

@@ -0,0 +1,2 @@
+charon.plugins.ipseckey.enable = no
+	Enable fetching of IPSECKEY RRs via DNS.

conf/plugins/kernel-klips.opt

@@ -0,0 +1,5 @@
+charon.plugins.kernel-klips.ipsec_dev_count = 4
+	Number of ipsecN devices.
+
+charon.plugins.kernel-klips.ipsec_dev_mtu = 0
+	Set MTU of ipsecN device.

conf/plugins/kernel-libipsec.opt

@@ -0,0 +1,7 @@
+charon.plugins.kernel-libipsec.allow_peer_ts = no
+	Allow that the remote traffic selector equals the IKE peer.
+
+	Allow that the remote traffic selector equals the IKE peer. The route
+	installed for such traffic (via TUN device) usually prevents further IKE
+	traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
+	plugins can be used to circumvent that problem.

conf/plugins/kernel-netlink.opt

@@ -0,0 +1,18 @@
+charon.plugins.kernel-netlink.fwmark =
+	Firewall mark to set on the routing rule that directs traffic to our routing
+	table.
+
+	Firewall mark to set on the routing rule that directs traffic to our routing
+	table. The format is [!]mark[/mask], where the optional exclamation mark
+	inverts the meaning (i.e. the rule only applies to packets that don't match
+	the mark).
+
+charon.plugins.kernel-netlink.roam_events = yes
+	Whether to trigger roam events when interfaces, addresses or routes change.
+
+charon.plugins.kernel-netlink.xfrm_acq_expires = 165
+	Lifetime of XFRM acquire state in kernel.
+
+	Lifetime of XFRM acquire state in kernel. The value gets written to
+	/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+	acquire messages sent.

conf/plugins/kernel-pfroute.opt

@@ -0,0 +1,3 @@
+charon.plugins.kernel-pfroute.vip_wait = 1000
+	Time in ms to wait until virtual IP addresses appear/disappear before
+	failing.

conf/plugins/led.opt

@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50

conf/plugins/load-tester.opt

@@ -0,0 +1,4 @@
+charon.plugins.load-tester {}
+	Section to configure the load-tester plugin, see LOAD TESTS in
+	**strongswan.conf**(5)
+

conf/plugins/lookip.opt

@@ -0,0 +1,2 @@
+charon.plugins.lookip.socket = unix://${piddir}/charon.lkp
+	Socket provided by the lookip plugin.

conf/plugins/ntru.opt

@@ -0,0 +1,8 @@
+charon.plugins.ntru.max_drbg_requests = 4294967294
+	Number of pseudo-random bit requests from the DRBG before an automatic
+	reseeding occurs.
+
+charon.plugins.ntru.parameter_set = optimum
+	The following parameter sets are available: **x9_98_speed**,
+	**x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
+	being part of the X9.98 standard but having the best performance.

conf/plugins/openssl.opt

@@ -0,0 +1,5 @@
+charon.plugins.openssl.engine_id = pkcs11
+	ENGINE ID to use in the OpenSSL plugin.
+
+charon.plugins.openssl.fips_mode = 0
+	Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).

conf/plugins/pkcs11.opt

@@ -0,0 +1,26 @@
+charon.plugins.pkcs11.modules {}
+	List of available PKCS#11 modules.
+
+charon.plugins.pkcs11.load_certs = yes
+	Whether to load certificates from tokens.
+
+charon.plugins.pkcs11.reload_certs = no
+	Reload certificates from all tokens if charon receives a SIGHUP.
+
+charon.plugins.pkcs11.use_dh = no
+	Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_
+	option).
+
+charon.plugins.pkcs11.use_ecc = no
+	Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+	operations. ECDSA private keys can be used regardless of this option.
+
+charon.plugins.pkcs11.use_hasher = no
+	Whether the PKCS#11 modules should be used to hash data.
+
+charon.plugins.pkcs11.use_pubkey = no
+	Whether the PKCS#11 modules should be used for public key operations, even
+	for keys not stored on tokens.
+
+charon.plugins.pkcs11.use_rng = no
+	Whether the PKCS#11 modules should be used as RNG.

conf/plugins/radattr.opt

@@ -0,0 +1,9 @@
+charon.plugins.radattr.dir =
+	Directory where RADIUS attributes are stored in client-ID specific files.
+
+charon.plugins.radattr.message_id = -1
+	Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+	given message ID.
+
+	Attributes are added to all IKE_AUTH messages by default (-1), or only to
+	the IKE_AUTH message with the given IKEv2 message ID.

conf/plugins/random.opt

@@ -0,0 +1,9 @@
+charon.plugins.random.random = ${random_device}
+	File to read random bytes from.
+
+charon.plugins.random.urandom = ${urandom_device}
+	File to read pseudo random bytes from.
+
+charon.plugins.random.strong_equals_true = no
+	If set to yes the RNG_STRONG class reads random bytes from the same source
+	as the RNG_TRUE class.

conf/plugins/resolve.opt

@@ -0,0 +1,11 @@
+charon.plugins.resolve.file = /etc/resolv.conf
+	File where to add DNS server entries.
+
+charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
+	Prefix used for interface names sent to resolvconf(8).
+
+	Prefix used for interface names sent to **resolvconf**(8). The nameserver
+	address is appended to this prefix to make it unique.  The result has to be
+	a valid interface name according to the rules defined by resolvconf.  Also,
+	it should have a high priority according to the order defined in
+	**interface-order**(5).

conf/plugins/socket-default.opt

@@ -0,0 +1,11 @@
+charon.plugins.socket-default.fwmark =
+	Firewall mark to set on outbound packets.
+
+charon.plugins.socket-default.set_source = yes
+	Set source address on outbound packets, if possible.
+
+charon.plugins.socket-default.use_ipv4 = yes
+	Listen on IPv4, if possible.
+
+charon.plugins.socket-default.use_ipv6 = yes
+	Listen on IPv6, if possible.

conf/plugins/sql.opt

@@ -0,0 +1,5 @@
+charon.plugins.sql.database =
+	Database URI for charons SQL plugin.
+
+charon.plugins.sql.loglevel = -1
+	Loglevel for logging to SQL database.

conf/plugins/stroke.opt

@@ -0,0 +1,15 @@
+charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
+	Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+	certificates even if they don't contain a CA basic constraint.
+
+charon.plugins.stroke.max_concurrent = 4
+	Maximum number of stroke messages handled concurrently.
+
+charon.plugins.stroke.prevent_loglevel_changes = no
+	If enabled log level changes via stroke socket are not allowed.
+
+charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
+	Socket provided by the stroke plugin.
+
+charon.plugins.stroke.timeout = 0
+	Timeout in ms for any stroke command. Use 0 to disable the timeout.

conf/plugins/systime-fix.opt

@@ -0,0 +1,12 @@
+charon.plugins.systime-fix.interval = 0
+	Interval in seconds to check system time for validity. 0 disables the check.
+
+charon.plugins.systime-fix.reauth = no
+	Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+charon.plugins.systime-fix.threshold =
+	Threshold date where system time is considered valid. Disabled if not
+	specified.
+
+charon.plugins.systime-fix.threshold_format = %Y
+	**strptime**(3) format used to parse threshold option.

conf/plugins/test.opt

@@ -1,30 +0,0 @@
-charon.plugins.test.opt
-	This is a normal option without default
-
-charon.plugins.test.noncomment := set this
-	This will not be commented out
-
-charon.plugins.test.def = default
-	Option with default
-
-charon.plugins.test.sectionnocomment.opt = val
-	The section this is in has no description
-
-charon.plugins.test.sub {}
-	This section has comments
-
-charon.plugins.test.sub.opt = option in sub
-	Section option
-
-charon.plugins.test.<commented> { # }
-	Commented example section
-
-charon.plugins.test.<commented>.val = value
-	This is commented anyway
-
-charon.plugins.test.<commented>.assign := value
-	This is commented too because of the commented section
-
-charon.plugins.test.sub = value
-	Sections can also be options with values
-	Longer description with **bold** and _italic_.

conf/plugins/tnc-ifmap.opt

@@ -0,0 +1,20 @@
+charon.plugins.tnc-ifmap.client_cert =
+	Path to X.509 certificate file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.client_key =
+	Path to private key file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.device_name =
+	Unique name of strongSwan server as a PEP and/or PDP device.
+
+charon.plugins.tnc-ifmap.renew_session_interval = 150
+	Interval in seconds between periodic IF-MAP RenewSession requests.
+
+charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
+	URI of the form [https://]servername[:port][/path].
+
+charon.plugins.tnc-ifmap.server_cert =
+	Path to X.509 certificate file of IF-MAP server.
+
+charon.plugins.tnc-ifmap.username_password =
+	Credentials of IF-MAP client of the form username:password.

conf/plugins/tnc-pdp.opt

@@ -0,0 +1,23 @@
+charon.plugins.tnc-pdp.pt_tls.enable = yes
+	Enable PT-TLS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.pt_tls.port = 271
+	PT-TLS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.enable = yes
+	Enable RADIUS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.radius.method = ttls
+	EAP tunnel method to be used.
+
+charon.plugins.tnc-pdp.radius.port = 1812
+	RADIUS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.secret =
+	Shared RADIUS secret between strongSwan PDP and NAS.
+
+charon.plugins.tnc-pdp.server =
+	Name of the strongSwan PDP as contained in the AAA certificate.
+
+charon.plugins.tnc-pdp.timeout =
+	Timeout in seconds before closing incomplete connections.

conf/plugins/unbound.opt

@@ -0,0 +1,17 @@
+charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+	File to read DNS resolver configuration from.
+
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+	File to read DNSSEC trust anchors from (usually root zone KSK).
+
+	File to read DNSSEC trust anchors from (usually root zone KSK). The format
+	of the file is the standard DNS Zone file format, anchors can be stored as
+	DS or DNSKEY entries in the file.
+
+charon.plugins.unbound.dlv_anchors =
+	File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+
+	File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
+	uses the same format as _trust_anchors_. Only one DLV can be configured,
+	which is then used as a root trusted DLV, this means that it is a lookaside
+	for the root.

conf/plugins/updown.opt

@@ -0,0 +1,7 @@
+charon.plugins.updown.dns_handler = no
+	Whether the updown script should handle assigned DNS servers (if enabled
+	they can't be handled by other plugins, like resolve).
+
+	Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+	Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+	plugins, like resolve)

conf/plugins/whitelist.opt

@@ -0,0 +1,6 @@
+charon.plugins.whitelist.enable = yes
+	Enable loaded whitelist plugin.
+
+charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
+	Socket provided by the whitelist plugin.
+

conf/plugins/xauth-eap.opt

@@ -0,0 +1,2 @@
+charon.plugins.xauth-eap.backend = radius
+	EAP plugin to be used as backend for XAuth credential verification.

conf/plugins/xauth-pam.opt

@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+	PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+	Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+	If an email address is received as an XAuth username, trim it to just the
+	username part.